Split TODO.md into todo/ folder by topic (completed tasks removed)

todo/01-css-semantic-refactor.md

@@ -0,0 +1,59 @@
+# CSS & Semantic HTML Refactor
+
+## CSS class audit: replace with semantic selectors (`admin.css` / `main.css` / `tfe.css` / `search.css`)
+
+- [ ] **`admin.css`**: Replace `.admin-main` with `.admin-body main`
+- [ ] **`admin.css`**: Replace `.admin-page-title` with `.admin-body main > h1`
+- [ ] **`admin.css`**: Replace `.admin-alert` / `.admin-alert--error` / `.admin-alert--success` with `[role="alert"]` / `data-type="error|success"` attribute
+- [ ] **`admin.css`**: Replace `.admin-form-row` with `.admin-body form > div` or CSS grid on `<form>` children
+- [ ] **`admin.css`**: Replace `.admin-label` with `.admin-body form label`
+- [ ] **`admin.css`**: Replace `.admin-input` / `.admin-select` / `.admin-textarea` with native element selectors
+- [ ] **`admin.css`**: Replace `.admin-hint` with `.admin-body form small`
+- [ ] **`admin.css`**: Replace `.admin-table` with `.admin-body table`
+- [ ] **`admin.css`**: Replace `.admin-fieldset` / `.admin-fieldset-legend` with `.admin-body fieldset` / `.admin-body legend`
+- [ ] **`main.css`**: Replace `.card__caption` with `.home-body .cards-container li p` or `li > a > p`
+- [ ] **`main.css`**: Replace `.card__media` with `.home-body figure`
+- [ ] **`tfe.css`**: Replace `.tfe-meta-list` selectors with `article dl`, `article dt`, `article dd`
+- [ ] **`tfe.css`**: Replace `.tfe-media-block` with `aside figure`
+- [ ] **`tfe.css`**: Replace `.tfe-file-caption` with `aside figcaption`
+- [ ] **`search.css`**: Replace `.repertoire-col > h2` — use `.repertoire-index section > h2`
+- [ ] **`system.php`**: Move inline `<style>` block to `system.css`
+
+## Template HTML changes to match
+
+- [ ] In all admin templates, replace `<p class="admin-hint">` with `<small>` elements
+- [ ] In `tfe.php`, remove `class="tfe-meta-list"` — target via `article dl`
+- [ ] In `tfe.php`, remove `class="tfe-media-block"` — target via `aside figure`
+- [ ] In `tfe.php`, remove `class="tfe-file-caption"` — target via `aside figcaption`
+- [ ] In `index.php`, remove `class="card__caption"` — target via `li > a > p`
+
+## Scattered inline styles in templates
+
+- [ ] `tfe.php` line 146: `style="align-items:start;"` → `.tfe-meta-item--top` in `tfe.css`
+- [ ] `tfe.php` lines 148, 170-172, 193: `font-style:italic`, `margin-top:1.5rem`, `font-size:.88rem;color:#666`, `color:#999;font-style:italic` → `.tfe-note-value`, `.tfe-back-link`, `.tfe-restricted` in `tfe.css`
+- [ ] `admin/edit.php`: multiple `style=` on `.admin-form-row` and banner preview → modifier classes in `admin.css`
+
+## Admin semantic HTML (sections IX–XVI)
+
+- [ ] **`add.php`/`edit.php`**: Replace `<div class="admin-form-row">` with CSS grid on `<form>` children (~20 divs in add.php, ~22 in edit.php)
+- [ ] **`add.php`/`edit.php`**: Replace inner wrapper `<div>` in multi-control rows — use `<small>` for hints, remove the wrapper div
+- [ ] **`add.php`/`edit.php`**: Replace `<div class="admin-checkbox-list">` with `<ul>`; each `<label class="admin-checkbox-label">` becomes `<li>` containing `<label>`
+- [ ] **`add.php`/`edit.php`**: Replace `<div class="admin-submit-wrap">` — remove; apply styles directly to `form > button:last-child`
+- [ ] **`add.php`/`edit.php`**: Replace `<div class="admin-alert admin-alert--error/--success">` with `<p role="alert">` / `<p role="status">`
+- [ ] **`index.php`**: Replace `<div class="admin-stats">` / `<div class="admin-stat">` children with `<dl>/<dt>/<dd>`
+- [ ] **`index.php`**: Replace `<div class="admin-maintenance-bar">` with `<aside role="status">` or `<p role="status">`
+- [ ] **`index.php`**: Add `role="toolbar" aria-label="Actions groupées"` to `<div class="admin-bulk-actions">`
+- [ ] **`index.php`**: Add `scope="col"` to all `<th>` cells in the admin table
+- [ ] **`index.php`**: Add non-colour indicator + `aria-label="Statut : …"` to status badge `<span>` elements
+- [ ] **`tags.php`**: Add `scope="col"` to `<th>` cells
+- [ ] **`tags.php`**: Move inline `style="margin-top:.35rem;"` on forms → `.admin-inline-form + .admin-inline-form` selector
+- [ ] **`thanks.php`**: Replace `<div class="admin-thesis-info">` with `<section>` + `<h2>` heading; CSS targets `main > section`
+- [ ] **`account.php`**: Replace `<div class="admin-account-status">` with `<dl>`; `__row` → `<div>`, `__label` → `<dt>`
+- [ ] **`account.php`**: Replace `<div class="admin-danger-zone__description">` with `<p>`
+- [ ] **`account.php`**: Move `style="margin-top:3rem;"` on danger zone heading → CSS modifier class
+- [ ] **`login.php`**: Wrap login content in `<main>` (currently no main landmark)
+- [ ] **`login.php`**: Extract inline styles on `.admin-form-row` and `.admin-submit-wrap` → `.admin-form-row--compact` modifier in `admin.css`
+
+## Favicon
+
+- [ ] **`admin_favicon.svg` used as public-facing favicon** — rename or create a distinct `favicon.svg` so admin and public can diverge without naming confusion

todo/02-php-components.md

@@ -0,0 +1,31 @@
+# PHP Components (Reusable Partials)
+
+## Form field partials — `templates/partials/form/`
+
+- [ ] **`text-field.php`** — accepts `$name`, `$label`, `$value`, `$required`, `$placeholder`, `$hint`; renders the `<div>…<label>…<input>…<small>` pattern used ~15 times across `add.php` and `edit.php`
+- [ ] **`select-field.php`** — accepts `$name`, `$label`, `$options[]`, `$selected`, `$required`; renders `<div>…<label>…<select>…</div>` pattern used ~6 times
+- [ ] **`checkbox-list.php`** — accepts `$name`, `$label`, `$options[]`, `$checked[]`; renders the checkbox group pattern (languages, formats) used ~4 times across `add.php` and `edit.php`
+- [ ] **`file-field.php`** — accepts `$name`, `$label`, `$accept`, `$hint`, `$multiple`; renders file input pattern used 3 times
+- [ ] **`jury-fieldset.php`** — entire jury composition fieldset + JS duplicated verbatim between `add.php` and `edit.php`; extract into one partial accepting `$juryPresident`, `$juryPromoteur`, `$juryPromoteurExt`, `$juryLecteurs[]`
+
+## Shared UI partials — `templates/partials/`
+
+- [ ] **`pagination.php`** — pagination nav is duplicated between `index.php` and `search.php`; unify into one partial accepting `$page`, `$totalPages`, `$baseParams[]`
+- [ ] **`status-badge.php`** — published/pending badge + access badge pattern repeated in `index.php` admin table rows; extract into a partial
+- [ ] **`admin-alert.php`** — rename/merge `flash-messages.php` to also handle the 3 different legacy flash key patterns (`$_SESSION['error']`, `$_SESSION['admin_error']`, `$_SESSION['edit_error']`, etc.) that pages still consume manually instead of via `App::consumeFlash()`
+
+## Controller Extraction (In Progress)
+
+- [ ] Extract `SearchController` — most complex public page
+- [ ] Extract `SystemController` — biggest single-file win, 500→8 lines
+- [ ] Extract `ThesisEditController` — merges `edit.php` + `actions/edit.php`, deduplicates jury fieldset
+- [ ] Extract remaining controllers one by one
+- [ ] Consolidate action handlers into controller methods
+- [ ] Unify flash message keys project-wide to `_flash_error` / `_flash_success`
+- [ ] Move OG tag construction into controller logic
+- [ ] Extract inline CSS/JS from `system.php` into separate assets
+
+## Backend Maintenance
+
+- [ ] **`RateLimit` uses per-file JSON on disk** — consider switching to APCu or SQLite; at minimum move cache dir to `/tmp` or `storage/cache/` excluded from deploy rsync
+- [ ] **`apropos.php` contacts and credits are hardcoded** — names, roles, emails (Laurent Leprince, Xavier Gorgol, Brigitte Ledune) live in PHP/HTML; move into the `about` page Markdown or a config array

todo/03-system-cache.md

@@ -0,0 +1,27 @@
+# System Page Caching — Database-Backed Status Cache
+
+## Problem
+
+The admin system page (`/admin/system.php`) runs expensive operations on every load:
+- `systemctl` subprocess calls (~4 checks × ~100ms each)
+- `curl` HTTP self-check (~200-500ms)
+- `disk_total_space()`/`disk_free_space()` (fast but unnecessary per-request)
+- Log file `tail` + `filesize` + `filemtime` (I/O bound)
+- Nginx config file reading
+
+## Solution: `system_cache` table + background refresh
+
+- [ ] **Add `system_cache` table** to schema: `CREATE TABLE system_cache (key TEXT PRIMARY KEY, value TEXT NOT NULL, updated_at INTEGER NOT NULL)`
+- [ ] **Add migration** `storage/migrations/007_system_cache.sql`
+- [ ] **Add `SystemCache` class** (`src/SystemCache.php`) with methods:
+  - `get(string $key, int $maxAgeSec = 60): ?array`
+  - `set(string $key, array $data): void`
+  - `isStale(string $key, int $maxAgeSec = 60): bool`
+- [ ] **Refactor `system.php` status section**:
+  1. Check `SystemCache::get('system_status', 120)` — 2-minute TTL
+  2. If cache hit → render from cache, show "mis en cache il y a X sec" label
+  3. If cache miss → run checks, store in cache, render
+  4. Add `?refresh=1` GET param to force-bypass cache
+- [ ] **Refactor `system.php` log sections** — avoid re-reading on every tab switch; only read the active tab's log
+- [ ] **Cache disk info** separately with 5-minute TTL: `SystemCache::get('disk_info', 300)`
+- [ ] **Cache PHP info** separately with 1-hour TTL: `SystemCache::get('php_info', 3600)`

todo/04-accessibility.md

@@ -0,0 +1,78 @@
+# Accessibility Audit (WCAG 2.1 AA)
+
+## 1.1.1 Non-text content (alt text)
+
+- [ ] **Admin `<nav>` "✕ Réinitialiser" and "✕" remove buttons** — wrap `✕` in `<span aria-hidden="true">✕</span>`; add `aria-label="Supprimer ce membre du jury"` on jury remove buttons in `add.php`/`edit.php`
+
+## 1.3.1 Info and relationships
+
+- [ ] **Admin form rows: multi-input rows (languages, formats)** — `<label class="admin-label">` without `for` labels a group of checkboxes; replace with `<fieldset>/<legend>`
+
+- [ ] **Status badges in `admin/index.php` convey state by colour alone** — add visible non-colour distinction (prefix icon with `aria-hidden="true"`) and `aria-label="Statut : Publié"` on badge `<span>`
+
+## 1.3.4 / 1.3.5 Orientation & Input purpose
+
+- [ ] **No `autocomplete` attributes on personal data fields** — `add.php`/`edit.php`: add `autocomplete="name"` on author fields, `autocomplete="email"` on mail fields
+
+## 1.4.1 Use of colour
+
+- [ ] **Active nav link has no non-colour indicator** — must include a non-colour signal (underline, border, weight change) alongside `aria-current="page"`
+
+- [ ] **Admin purple `#9557b5` as text colour on dark `#1a1a1a`**: 3.57:1 — audit every use of `var(--admin-purple)` as text; ensure it is only used at large-text sizes (≥18pt/24px or bold ≥14pt)
+
+## 1.4.4 Resize text
+
+- [ ] **Verify no text is set in `px`** — ensure `width: 14px; height: 14px` on checkboxes and similar elements do not prevent text scaling
+
+## 1.4.12 Text spacing
+
+- [ ] **No text-spacing override test done** — verify WCAG 1.4.12 bookmarklet does not cause content clipping (especially `overflow: hidden` on `.card__media` and tight `aspect-ratio: 4/3`)
+
+## 2.1.1 Keyboard
+
+- [ ] **Jury "✕" remove buttons in `add.php`/`edit.php`** — add `aria-label` for keyboard discoverability
+
+## 2.4.3 Focus order
+
+- [ ] **On `tfe.php` the `← Retour` back link is at the bottom of the left column in DOM** — consider moving above `<h1>` or adding a copy at the top so keyboard users can exit quickly
+
+## 2.4.4 Link purpose
+
+- [ ] **Home page cards: if two theses share the same title, identical link texts exist** — append year in `<span class="sr-only">` to disambiguate
+
+## 2.5.3 Label in name
+
+- [ ] **`<a class="clear-filter">✕ Réinitialiser</a>`** — wrap `✕` in `<span aria-hidden="true">`
+- [ ] **Admin jury remove buttons `✕`** — `aria-label="Supprimer ce lecteur"` replaces the symbol
+
+## 2.5.5 Target size
+
+- [ ] **Pagination buttons are `2rem` (32px)** — increase to `min-height: 2.75rem; min-width: 2.75rem` (44px)
+- [ ] **Admin `.admin-btn-sm` (~28px)** — increase to minimum 32px with padding
+- [ ] **Admin bulk action buttons and jury remove `✕` buttons (~28px)** — increase target size
+
+## 3.1.1 Language of page
+
+- [ ] **All public pages have `<html lang="fr">`** — verify this is true after any template changes ✓ (no action needed unless templates change)
+
+## 3.3.1 Error identification
+
+- [ ] **`add.php`/`formulaire.php` validation errors** — add `role="alert"` to error div; add `autofocus` to first invalid field when re-rendering form with session error data
+
+## 3.3.2 Labels or instructions
+
+- [ ] **Admin jury "Lecteur·ices" label has no `for` attribute** — wrap lecteur rows in `<fieldset>/<legend>` or use `aria-describedby`
+
+## 4.1.2 Name, role, value
+
+- [ ] **Custom "Externe" checkbox for jury members has no group context** — add `aria-label="[Nom du promoteur] est externe"` dynamically via JS, or `aria-describedby` pointing to the adjacent name input
+
+- [ ] **`<video>` elements on `tfe.php` have no captions** — add `<track kind="captions">` slot in template; document caption requirement in admin upload form
+
+- [ ] **Admin `<select>` for visibility/access in `edit.php` uses truncated option text** — use full description in option text (or `title` attribute); keep truncated text only for visual display
+
+- [ ] **Bulk publish/unpublish JS does not announce result to screen readers** — add `role="alert"` to error messages and `role="status"` to success messages across all admin pages
+
+## 5 - Motion & user preferences
+
+- [ ] **`prefers-color-scheme` not respected** — site has fixed white public / fixed dark admin themes; consider a dark-mode variant for public pages (not a WCAG failure, but quality-of-life)

todo/README.md

@@ -0,0 +1,10 @@
+# TODO Index
+
+Pending tasks split by topic. Completed tasks have been removed.
+
+| File | Topic |
+|------|-------|
+| [01-css-semantic-refactor.md](01-css-semantic-refactor.md) | CSS class audit, semantic HTML for templates (public + admin), inline style extraction, favicon |
+| [02-php-components.md](02-php-components.md) | Form field partials, shared UI partials, controller extraction, backend maintenance |
+| [03-system-cache.md](03-system-cache.md) | `system_cache` table, `SystemCache` class, `system.php` refactor |
+| [04-accessibility.md](04-accessibility.md) | WCAG 2.1 AA — remaining failures grouped by success criterion |